General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) is a European Union (EU) data privacy law which came into effect on May 25, 2018, and affects any company that processes data for EU residents, regardless of the business location. GDPR will apply to your hotel if you have guests (and therefore hold data about them) from any of the EU countries.
To ensure HotelREZ is compliant with GDPR, we
- Trained employees about GDPR and the impact on the way we handle data
- Documented all of our data processing activities
- Changed our systems, contracts and processes to comply with the GDPR
- Created a way to communicate continual updates with regards to GDPR
We will continue to keep abreast of new legislation and best practice to identify ongoing privacy compliance requirements. We will also continue to train staff about data protection and security.
How does GDPR affect hotels?
The rules introduced in May 2018 will impact any organisation that processes personal data. The hotel industry is particularly affected for the following reasons:
- Hotels obtain high volumes of personal data for guests, and process a large number of payment-card transactions daily.
- Hotels receive personal data from many sources, such as third-party booking systems and corporate websites.
- Some hotels may operate CCTV-systems.
- Some hotels conduct profiling activities of customers.
- Hotels enjoy a high turnover of employees, and independent contractors.
All of these activities involve the handling of personal and sensitive data on a larger scale.
Under the GDPR, a misuse or breach of personal data not only carries the risk of administrative fines, but could also hurt reputations and result in damage claims. The GDPR will affect owners and operators alike. Please watch this space for updates as they become available, or visit any of the following resources for additional information:
- The History of the General Data Protection Regulation
- Full text of the GDPR
- Hospitality: Unprepared for GDPR
For information specific to your business, please send an email to [email protected]
GDPR Frequently Asked Questions
What is the GDPR?
GDPR establishes rules for how companies, governments, and other entities can process the personal data of data subjects who are in the EU. Many of these rules already existed under previous EU law, but some rules are now stricter, some are less burdensome, and some are brand new.
The rules reach beyond the physical borders of the EU and apply to any organization, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behaviour of those people (including through the use of cookies).
Key Principles of GDPR;
- Organizations must always process personal data lawfully, fairly, and in a transparent manner.
- Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.
- Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data must be kept only for as long as it’s needed to fulfil the original purpose of collection.
- Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration.
The GDPR grants data subjects a number of rights regarding how controllers handle their data. These rights require controllers to have systems in place to respond to and effectively address data subjects’ requests.
- Data Access: Data subjects have the right to confirm with a data controller whether the organization is processing their personal data. If it is, the controller must provide the data subject with information about such processing, including the specific data processed, the purposes of the processing, and the other parties with whom such data has been shared.
- Right to Object: Data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes.
- Data Rectification: Data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete.
- Restriction of Processing: Data subjects can request that a controller stop access to and modification of their personal data. For example, the controller can mark or use technological means to ensure that such data will not be further processed by any party.
- Data Portability: In certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (for example, a .csv file) so that they can transmit their own personal data to another company.
- Right to Erasure: Also known as “the right to be forgotten,” this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing.
What data is “personal data” as defined by the GDPR?
Any information related to an identified or identifiable natural person (an individual or ‘data subject.’) A data subject can be identified or identifiable, directly or indirectly by a variety of pieces of information (e.g. name, ID number, location data, etc.). Some examples of potential personal data include a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address. The definition of “personal data” is very broad.